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INTRODUCTION 

This otudy has a twofold purpooe4 The first is to present an 
overview of the large scale computers installed at DOD and AEC facilities. 
Many of these computers are operated under various types of security 
requirements and have operating systems designed to resist unauthorized 
use or control. The second purpose of this study is to supply as many 
facts as possible about the operating systems that predominate at DOD 
and AEC installations, with special reference to those aspects that 
particularly bear on operating system security. It can be seen from 
Table 1, a census of computers and their locations, that computers 
at DOD and AEC installations mainly come from four main sources: IBM, 
Univac, Control Data Corporation, and Honeywell Information Systems. 
In Tables 2, 3» and *4 operating systems of these four manufacturers 
are broken down and listed bo that their characteristics can be compared. 
Specifically, the following four operating BystemB will be looked at 
in detail : 

a. IBM's OS/MVT for the 360/370 series 

b. Honeywell GCOS III 

c. UNIVAC EXEC-8 

d. Control Data Corporation's SCOPE 3.U 

In Table 2 the basic parameters of these operating systems such 
sb word length, size, SYSGEN times, etc. are listed and, where applicable, 
their derivation is explained. 

Table 3 lists operating system characteristics of a more detailed 
nt&ure. In this table, however, the characteristics are not only 
listed but are also explained or defined and basic differences between them 
aro proocntod. 



Table '« rnnparcn the complete rnritfe of IBM nupcrvinor calln (oVC'o) 

with the equivalent operating nyntcm features of Honeywell, 'UNI VAC, 

and CDC. Supervloor calls are particularly significant from the point 
i ' . ■ < 

; of view of operating system security "because they are one of the most 

, i 

logical areas from which attempts to gain control of the system can 

/-•'■■ • . ■ . ■ 

>'' 

be ma£e« 



TAmLK 1. Crri::un of Large Gcalc 
Computer Gyntcmn at 1X)I) and AEC Facilitico 



Computer 
Syotem 



Number at 


Number at 


DOD Facilitieo 


AEC Facilitieo 


61 


6 


*1»0 


6 


17 





11 


3 


2 





2 


'. 2 


. 2 





39* 


1 


8 


20 





6 


1U 





6 


3 





Ik 



IBM 360/50 
IBM 36.O/65 
IBM 360/67 
IBM 360/7.5 
IBM 360/85 
IBM 360/91 
IBM 360/95 

WIVAC 1108 

i 

CDC 6000 series 

I: 

'CDC 7600 

Honeywell 600 series 
XDS Sigma 7 
DEC PDP-10 



Note: For purposes of this listing, a large scale computer is defined 
aa being roughly equivalent to or larger than an IBM' 360/50 in terma 
of Bpeod» computing pover t throughputs etc. 



.' TABLE 2. Comparison of Basic Operating System Parameters 



■ 
' Operating 

System 


Word 
Length 


Instruction 
Length 


Size of 

Resident 
OS 


Size of 

Basic 

OS 

; 


Size of 
Total 

OS 




, SYSG2 


:\ t::~- 


Start J 


* 


IBM 


32 Bits 


■2,U or 6 
Bytes 


15CS-200K 
Bytes 


BA 


5 Million 

32-Bit- 
Words 


15-30 

Minutes 




• Honeywell 
GCOS III 


36 Bits 


36-Bits 


19£ Words 


U6lK Words 


2.1 Million 

36-Bit 
Words 


5 Minutes 


1 

1 


U3IVAC 
E2ZC-8 


36 Bits 


36 Bits 


UO-50K 
Words 


330K Words 


2 Million 

36-Bit r 
Words •' 


15 Minutes 


1 Ecir 

i 


CDC 
SCOPS 3.U 


60 Bits 


15 or 30 
Bits 


16K-32K 
Words 


NA 

• 


2.5 Million 

60-Bit 
Words 


ha 





IZ^ZTD 
5A-Tn format ion not available 



Not-rn to TuMp ?:_ 

Mot.hodn of ent. Imr\t> tng operating nyntcm nlzc . The estimate given for the 

size of IBM's OS/MVT was baaed on a count of the instructions in a microfiche 

i 

, i 

deck of the complete syBtem. This method was checked against an estimate 
of nyntcm nize baood on tho amount of dink npnco it ooaupion nt nyntcm 
generation time. The size estimates for the Honeyvell UNIVAC, and CDC 
operating systems are based on the 'amount of disk space they occupy at 
system generation time. Note the following : t 

a. IBM's 360/370 OS/MVT is contained on 3 » 000 microfiche cards. 
There are 1*5 frames per card. Assume that each card is f0% full (i.e. 

uses 30 frames per card) and that each frame contains about 1*5 instructions. 
Multiplying the three numbers ve get a total of 1*.2 million instructions. " 
A method for cross-checking the total number of instructions is that OS/ 
MVT occupies 75 percent of a 231** pack containing a total of 21 million 
bytes. If the average instruction takes 1* bytes, and the system occupies 
15*75 million bytes, the total number of instructions is 3. 96 million. 

b. Honewyell GCOS III with timesharing, utilities, test routines, 
and library occupies 5U5 links on diBk. Each link is 38U0 words. With 
one instruction per word, GCOS III has about 2.1 million instructions. 

c. UNIVAC EXEC 8 with library and compilers occupies 1*00,000 wordB. 

Each word is 36 bits and each instruction is 36 bits long (i.e. one instruction 

* 
per word)* Thus EXEC ,8 is composed of about 1*00,000 instructions. 



(I. Clin r.COl'K [\.U ncruplni 300 record block n on a dine pnok. Kadi 
record block contain 50 acctora and each oector contains 6U 60-bit words. 
Thus SCOPE is composed of approximately 1 million 60-bit words. The 
CDC 6000 series machines have 15- or 30-bit instructions. Based on an 
estimated ratio of 15-bit to 30-bit instructions, the total number of 
instructions is about 2.5 million. 

e. The core resident portion of the above operating systems depends 
on facility parameters. On the average, each. operating Byst em occupies 
about 32,000 wordB of core. 



TABLE 3. Comparicon of Detailed Syotera Characterintics 



System 


IBM 


HONEYWELL 


U1IIVAC 


CDC 

i 




Characteristic 


OS/MVT 


GCOS III 


• EXEC-8 


SCOPE '3.U 


Multiprogramming 


yes 


yes 


yes 


yes 


Multiprocessing 


] yeB 


yes 


yes 


yes 


Batch Processing 


yes 


yes 


yes 


yes- 


Time Sharing 


■j&r(0 


yes 

• 


t&l® 


no 


Remote Batch Processing 


yeB 


yes 


yes 


yes 


Real-time Processing 


yes 


yeB 


yes 


no 


Notes to Table 3 




' ' - 




V 





1. All of the following components are common to the above system: 

a. System Startup : This is the process of initializing the operating 

system for normal processing. System initialization is achieved by loading 

a system-tailoring routine. This routine then processes system configuration 

information. 

*>• Scheduler : This module schedules Job tasks into the system 

execution queue. Job tasks are placed in the queue after all resource 

requests ore satisfied. TaskB are usually scheduled by priority and classt 
Ct Dispatcher : This module allocates CPU time to tasks queued for 

execution. Normally, the dispatching queue is arranged by priority. 

If the CPU is available, the dispatcher will remove the task from the queue 

and assign it to the CPU until ouch time as the task requires supervisor 

aid or terminates. / 



d. Peripheral Allocator : Thia module schedules and allocates all 
peripheral devices (drums, disks, tapes, etc.) requested by programs. 
This is done by keeping inventory tables of facilities available and 
facilities assigned. 

e. Storage Allocator ; This module is* responsible for allocation 
of internal storage (core memory) t*. user tasks • Again, thie is 
normally done by priority. 

f. Interrupt Handlers : These modules provide interface (supervisor 
calls) between the user and the system. They also include modules which 
execute recovery action in the case of program or hardware faults. 

g. IPS : The I/O Supervisor (IOS) is a set of modules which initiate ' 
I/O and respond to I/O termination. Whon an I/O roquoot io issued, 

the IOS checks the channel and device for availability. If both are 
free, the I/O operation is initiated. If not , the request is placed 
on a channel or device queue. In addition, the IOS provides for I/O 
interrupt handling, translation of file codes to physical units, and 
file protection. . 

h. System Input and Output : This set of modules handles the input 
and output of user programs. When a Job is entered into the system a 
group of modules associated with the input device will set up program 
files for the Job. Similarly, the output modules supervise the transfer 
of output data from the output files. 

i. File Manager : This set of modules controls the various data 
files within the system. File management functions are invoked to 

locate files, to permit or restrict user access to files, and to provide 

i 
back-up and restoration services in case of file damage. Master directories 

or catalogs are maintained with cataloging controls available to the user* 
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J. Ubilitl.cn and System Programs : These include library routines, 

compilers, assemblers, loaders, etc. 

2. The following paragraphs summarize basic differences between operating 
I < 

systems in the categories of: I/O operations, supervisor programs, 

memory configuration, and storage protection! 

a. I/O Operations For IBM, Honeywell, and UNIVAC, I/O commands 
are issued through the central processing unit in supervisor mode. 
Commands are executed by specialized I/O processors. For CDC, I/O 
commands originate and are executed through one of the peripheral 
processors. 

b. . Supervisor Programs For IBM Honeywell, and UNIVAC the supervisor 

*~ 

is. run 'on the central processing unit. For CDC, a good portion of 

<"\ 
tHta Supervisor 1b run on Peripheral Processor which sits as master 

\y ' ;, . 

control over all other processors.' 

c. Memory Configuration 

IBM: 20^8 bytes per block 

Honeywell: 262, lUU words per module B organized into blocks of 

102h wordn. 
UNIVAC: 65»536 wordB per bank, with interleaving of even and odd words. 
CDC: U096 words per bank with phasing of 32 banks. 

d. Storage Protection 

• IBM: Storage key for every 20U8 bytes 
i 
Honeywell: Hardware register with field length control 

CDC: Hardware register with field length control 

UNIVAC: Storage-limits register containing upper and lower bounds 

of instructions and data. 



11 



( j > ■ : i| < :\ H_j -.o n nT i'npprvlnor Colin, Mp nt,r?r Mode Entryn, and Executive [Wjn'iMtn 
(Tabic '0 

General Information 

IBM, Honeywell and UNIVAC , The first portion of Table U lists 
118 IBM supervisor calls (SVC's) in numerical order and their equivalents 
in the Honeywell and UNIVAC systems. Included with each SVC is its 
description. Following thiB list is a list of IBM service and I/O 
macros along with their equivalents in the other systems. The remainder 
of the table consists of a listing of the Honeywell Master Mode Entrys 
(MME'b) and UNIVAC Executive Requests (ER's) that do not correspond to 
any of the IBM SVC'b.. As with the other calls, descriptions are provided. 
Included in this listing is a compilation of UNIVAC subroutines and 
procedures and Honeywell Bervice requests. 

CDC . CDC is not included in this table of comparisons because the 
SCOPE operating system has a considerably different design from the other 
three systems. This difference stems from the fact that the CDC 6000 
series machines are composed of eleven independent computers and, hence, 
need a much different type of operating system and service calls. CDC* 8 
SCOPE operating system has only five distinct calls. TheBe are: 

TIM Return Time , 

END Normal End 

ABT Abnormal End 

RCL Recall 

CIO I/O Request 
The CIO call contains all the file management requests such- as OPEN, CLOSE, 

v ■ ! ■ 

READ and WHITE. . 



Table h. Comparison of Supervisor Calls , Master Mode Entry's, and Executive Requests 



/ 




Supervisor or Service Call Designation 


■-KJC-E AND DESCRIPTION 


IBM 


HCinYWZLL GCS3 III 


UNI VAC EXZC 6 


C? - execute channel, program 


SVC 






IT - wait for an event 


SVC 1 


GZH1LC (M) 


AWAIT$ 


3? — signal event completion 


SVC 2 


GEEI3I (M) 


* 


IT - SVC routine exit (return from) 


SVC 3 




EXCT$ 


IMAH7 - allocate storage v/o register 


SVC k 


GEMORE *(M), ADDMEM (D) 


MC0RE$ 


UMAZa - frees storage 


SVC 5 


GEMR2L (M), EELMEM (D) 


LC0RE$ 

9 


IDC - LOAD and transfer control 


SVC 6 


CALLSS (D) 


RLinK$, LINK$ 


IL - transfer control to another load 

nodule 


SVC 7 


GECALL (M) 




rD - loads task, no control transfer 


SVC 8 




L0AD$ 


LZTZ - relinquish control of load module 


SVC 9 


RETURN (D) 


EXLNK$, UNLNK$ 


Z-yj-JZi - register GETMAIN/FREEMAIN ' 


SVC 10 






•2 - provides date and time 


SVC 11 


GETIME (M) , TIME (D) 


DATE$, TDATE$, 


TCH - synchronous exit, transfer from 
supervisor to user program 


SVC 12 






~17D - abnormally- terminate a job 


SVC 13 


ABORT (D) 


AB0RT$, EABT$, ERR$ 


'3 - specify program interrupt exit, 
user's own fault processing 


svc ik 




IALL$ 



ru 



Table k (Continued) 



.' 




Supervisor or Service 


Call Designation 




NAME AItf?> DESCRIPTION 


IBM 


HONEYWELL GCOS III 


UNIVAC EXZC o 


ERREXC? - retry of^hartfiel- program 


SVC 15 








PURGE - removed specified I/O requests 


SVC 16 








RESTORE - complement of PURGE 


svc 17 








BLDL/FIIID - build list from information 
from a PDS directory /Establish 
beginning of a data set member 


svc 18 








OPEN - logically connect a data set 


svc 19 


' 


B0PEN$, IHOPN 




CLOSE - logically disconnect a data set 


SVC 20 


RETFIL (D) 


BCL0F$, IHCLR, IECLF 
BREL RELESE, gCLOSE, 
BCL0R$ 




STCn - update PDS directory 


SVC' 21 








OPENJ - a JFCB is supplied by user to be 
used during initialization (OPEN) 


SVC 22 








TCLOSS .- CLOSE but revinds. tape v/o 
updating the label 


SVC 23 








DEVTYPE - locate device characteristics 


SVC 2k 








TRKBAI .- track balancing 


svc 25 








CATALOG/ INDEX/ LOCATE - maintain the catalog 
and the VTOC 


svc 26 




. PFX$ t PFS$ 




03TAIN - get DSC3 into main storage 


svc 27 








OPENEXT - open a catalog to extend it 


svc 28 








SCRATCH - delete a data set on direct 
access device 


SVC 29 


GERELS *(M) 


PFD$ 





UJ 



Table U (Continued) 







Supervisor or -Service Call Designation 
1 


NAME AND ZZSCRIPIION 


IBM 


HONEYWELL GCOS III 


UN I VAC e>z: 





RENAME - change data set name 


SVC 30 








FEOV - force end- of- volume condition 


SVC 31 




BBE0F$ 




ALLOCATE - request space en I/O device 


SVC 32 


GEMORE *(M) 






I/O EALT - stop processing on a tele- 
processing device 


SVC 33 


DRLDSC (D) 






HGCR - master command ^recessing 
• _ (scheduling routine) 


SVC 2h 








WTO/WTOR --write to o?eratorA Tite - to 
operator with reply 

WTL -' vrite to log 


SVC 35 
SVC 36 


C0NS0L (D)»* 


C0M$ 




SEGLD/SEGWT - segment load an£ segment 
load and wait (overlays) 


SVC 37 








TTROlTZSR - Testran facility 


SVC 38 








LABEL - write volume label -sets onto tape 
in either EBCDIC or ASCII 


SVC 39 




LABELS 




EXTRACT - extract information from the 
task control "block (TC3) . 


SVC 1*0 


ATTRI (D) 






IDENTIFY - establish another entry, point 
to a task 


SVC Ul 








ATTACH - create a new task 


. SVC 1*2 




ACT$, F0RK$ 




CTE3 - create interrupt request block 


SVC 1*3 


GENEWS (M) 






CEA? - change dispatching priority 


SVC UU 








OVLYBRCH - transfer control to another 










overlay segment 


SVC 1*5 









- Table Ik (Continued) 







Supervisor or Service 


Call Designation 




eai-s A:rD description 


IBM 


HONEYWELL GCOS III 


UTIIVAC EXEC 


3 


TTIM2R - test interval timer 


SVC U6 


GELAPS (M) 


TWAIT$ 




STIM2R - set interval timer 


SVC kj 


GEWAKE (M), GWAKE (D) 






DEQ - release a serially reusable resource 


SVC U8 








TTQP22T • 


SVC 1*9 








null 


SVC 50 








2£iA? - snapshot dump (dump and continue) 


SVC 51 


GESNAP (M) 


SNAP$ 




EESTA3T/SK3 Reader-to help process check- 
point restarts and read SM3s , 


SVC 52 




0PT$ 




EELZ"' -•■• release exclusive control after read 
under exclusive control * 


SVC 53 








DTSA3LE - lock out interrupts 


SVC 5k 




gENABLE 




ZOV - en d-of -volume and end of data set 
condition, check error conditions 


SVC 55 




BMARK$, gMARK 




2ZTQ - request control of a serially 
reusable resource 


SVC 56 








FHEED3U? - free dynamically obtained 
buffer (obtained by READ) 


SVC 57 








HEQ3UF/RSL3U7 - access to dynamic buffer 
management 


SVC 58 








OLTZ? - provide on-line test system 
v/facility to system control code 


SVC 59 








STAI/STAI - specify task abnormal exit 
return control to user after ABEND 


SVC 60 









Table k (Continued) 







Supervisor or Servic 


e Call Designation 


NAME Alii) -riSrpJPTION 


IBM 


HONEYWELL ' GCOS III 


UNI VAC exzc 


a 


TSAV - Used vith Test ran 


SVC 61 


- 






DSTACH - deletes subtask (removes TCB) 


svc 62 


GEBORT (M) 


DACT$ 




CEXPT - establish checkpoint for Job step' 


svc 63 


GECHEK (M) 


gCKPT, §RSTP.T 




'EDJFCB - read job file control block from 
disk 


svc 6k 








QWAIT - telecommunications WAIT 


svc. 65 








BTAM TEST - telecommunications on-line 
test 


svc 66 








Q?CST - telecommunications POST 


svc 67 








STnADAJ/SYITADRLS - analyze permanent 

I/O error/release SY3AJDAF buffer and 
save areas 


SVC 68 








BSP — backspace current volume one block 


svc 6*9 








GSZRV - graphics service ' ": ' 


svc 70 








ASGT BFR/ELSE BFR/BUFTT^ - buffer 
processing and manipulation 


svc 71 








CHATH - status display interface, MCS, 
DIDOCS processor, 27^0 processor 


svc 72 








SPAR - Specify- attention. Used vith GAM 


SVC 73 








DAR - Damage assessment routine 


SVC Ik 








Dequeue routine used vith GAM 


SVC 75 










svc 76. 









c\ 



Table k (Continued) 







Supervisor or Service 


Call Designation 




NAME AND DESCRIPTION 


IBM 


HONEYWELL GCOS III 


UNIVAC EXEC 


c 


C3I2 


SVC T7 








LSPACS - total space still available on 

volume ., 


SVC ?8 








STAT"J3 - change subtask's dispatching 
status 


SVC 79 








GJP/CrrX - graphic Job processor/graphics 
interface task 


SVC 80 
SVC 81 








H^iirrO - load character set for UCS 

^TjLnte'** 




EXSZAjAL 


SVC 82 








SEV=i 


SVC 83 








He st art Address Routine 


SVC 8k 








SV A? — Dynamic Device Reconfiguration 
Processor 


SVC 85 


GEFILS (M) 


TSWAP$ 




ATLAS — assign an alternate track and 
copy data from the defective track 


SVC Q6 








UGH — delete operator message 'from CRT 


SVC 87 








>ED £3- emulator program 


SVC 88 








ZT-SZRV - emulator service 


SVC 89 








Z£!CTG5 - job management 


SVC 90 








T*. T ^""" 1 • "-1 


SVC 91 








TCBEX'"-' 


SVC 92 









Table k (Continued) 







Supervisor or Service 


Call Designation 




NAME AIID DESCRIPTION 


IBM 


HONEYWELL GC0S III 


UNIVAC EXEC r 




TtHT/TPUT-obtain input from/transmit 
output to the terminal 


SYC 93 


GER0UT (M) 


CMI$/CM0$ 




TERMCTL - terminal control 


SVC 9k 




CMS$, CMSA$ 




TSI? - time-sharing processing routine 


SYC 95 






- 


STAX - specific time-sharing attention 
exit 


SVC 96 








TZ3T (TSO) - "breakpoint handler 


SVC 97 








TSO PROTECT ■■-.■-•.' 


SVC 98 








TSO Dynamic Allocation -■ 


SVC 99 








use* "by SUBMIT, OUTPUT, OPERATOR, AND 
CANCEL/STATUS Processors 


SVC 100 








QTX? - provide interface between TSO sub- 
system and the MCP ~"~ 


SVC 101 








TCAM - telecommunications access method 


SVC 102 




. CMD$, CMH$. 




ZLATS - translation between ASCII and 
EBCDIC 


SVC 103 








TCAM - telecommunications access method 


SYC 10U 




CMT$ 




IKGLIB - DEB and DC3 manipulation for SYS1. 
1MGLIB (Image library) 


SVC 105 








Type 3 and type U SVC routing routine 


SVC 109 








'2t9^ 1 SVC routing routine 


svc 116 








Type 2 SVC routing routine . 


SVC 117 









K 



Table U (Continued) 



NAME A1ID DESCRIPTION 



Supervisor or Service Call Designation 



IBM 



HONEYWELL GCOS III 



UNI VAC EXEC 3 



CHECK - vait for and test completion of 
a READ or WRITE operation 

NOTE - Provide relative position 

POINT - position to a block 

GET3UF - obtain a buffer 

GETPOOL - build a buffer pool 

-FPZEPOOL - release a buffer pool 

INCLUDE - include a load module into 
job step 

BDAM HEAD 

ESAM and BPAM READ 

C.SAM and QISAM GET 

3DAM WRITE . 

BSAM and BPAM WRITE 

QSAM and QISAM PUT 

PUTX - vrite' record from an existing 

data set .. 

Exit from an ESI activity, return 

specified buffers, activate previously 
named activity 

ASCII punch 



CHECK (macro) 
NOTE (macro ) 
POINT (macro) 
GETBUF (macro) 
GETPOOL (macro) 
FREEPOOL (macro' 

INCLUDE (macro) 
READ (macro) 
READ (macro) 
GET (macro) 
WRITE (macro) 
WRITE (macro) 
PUT (macro) 

PUTX (macro) 



GERSTR (M) 



GESAVE (M) 



WANY$, VAIT$ 
F?VL$ 

PFUWL$, gFIND 
CADD$,CGET$ 
C?OOL$ 
, CRZL$ 

KAME$, RLIST$, IN 
BH3ZD$, IHRDRN, 10$ 

4 

B3ZAD$, 10$ 
IEHD, I0W$, READ$ 
BHVHT$, IHWTRN, 10$ 
BWRIT$, 10$ 
IEV3T,I0W$, PRIN?$ 

IHDRN 
ADACT$ 



vr 



APCHCA$, APCHCN$, APNCHA$ 
APUNCH$ 



Table k (Continued) 





Supervisor or Servic 


e Call Designation 


•NAME AiiT) DESCRIPTION 


IBM HONEYWELL GC03 III 


univac z:<zc 3 


ASCII print 






APRINT$, A?RN7A$, .-2: 
APRTCII$ 


: _~. - 


ASCII read; 






" AREAD$, AREATA* 




Contingency node termination-notify 
the executive that interrupt 
handling is completed 






CEND$ 




Expand buffer pool 






CJ0IN$ 




Allcvs user to define his own set of control 
statements and register them vith the exec. 






' CLIST$ 




Retrieve condition vord 






C0HD$ 




Ccntr.:-! statements submitted for inter- 










pretation and processing during 
execution 






CSF$ 




Retrieve file assignment information 




GEFCOIT (M) 


FACIL$, FACIT$, FITIM* 


Permit unsolicited console input 




■ 


11$ 




Initiate arbitrary device I/O 




GEINOS (M), DIO (D) 


I0ARB$ 




Initiate arbitrary device I/O 

simulating an exit function and control 
return' to program 






I0AXI$ 
101$ 




Initiate I/O with interrupt activity 
101$ and wait 




• 


I0WI$ 





Table h (Continued) 



Supervisor or Service Call Designation 



NAME A1VD DESCRIPTION 



IEM 



HONEYWELL GCOS III 



UNIVAC EXEC 



Exit and 101$ 

Eetrieve master configuration table 
Master file directory manipulation 
Terminate real tine status 
Program Control Table retrieval 
Processor state vord control 

FL3CE 

PRIST ALTERNATE & CONTROL 

READ alternate 

Line terminal transfer - altering 
•ccrmrumi cat ions paths 

Establish real time status complement 
of NRT$ * 

Set condition vord 

Eetrieve time of day 

Initialize tape .file to beginning of 
first reel 

Print then read (Field data) 



LPSW (instr) 



CGROUT (D) 



GEREIS (M), GESETS (M) 
ESTSWH (D), SETSWH (D) 



EEV (D) 
KOUTN (D) 



10X1$ 

MCT$ 

MSC0N$ 

HRT$ 

PCT$ 

PSR$ 

PHCHA$, PUNCH$ 
PRHTA$, PRTCA$, PRTC3$ 
READA$ 

R0UTE$ 

RT$ . 
SETC$ 
TIKE$ 

TINTL$ 
TREAD$ 



■v 



Table U (Continued) 



Supervisor or Service Call Designation 



NAME Aim DESCRIPTION 



ib:-! 



HONEYWELL GCOS III 






Allov interrupt activity to reduce its 

priority- 
End courtesy call 
Physical file address request 
File System Entry Request 
File and Record Control Entry 
Journalization and subfile page range 
Information entry outside of BAR linits 
Load Base Register 
Loop rrotection 
I/O Priority 
Deal locate Peripherals 

Causes program to he taken out until all 
outstanding requests (I/O, courtesy calls) 
are completed ' 

Reinstate or Roll back Program 

Supply Sequence number 

Special Interrupt Request 

Write on Sysout 

User - Supplied MME 



UNLCK$ 



GEENDC \ 


!m). 




GEFADD 1 


;m) 




GEFSYE { 


!m), 


FILACT (D) 


GEFRCE < 


[M) 




GEIDSE { 


[M) 




GEINFo'l 


!m) 




GELBAR { 


[M) 




GELOOP ( 


[M). 




GEPRIO i 


;m) 




GERELS { 


;m) 




GEROAD { 


;m) 




GEROLL { 


;m) 




GESNUM ( 


>M), 


SNUMB (D) 


GESPEC < 


r M) 




GESYOT ( 


;m) 




GEUSER .{ 


M) 





ro 
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5 


£BM 


HONEYWELL GCOS III 


univac exec 6 


Enter Master Mode 




.EMM (M) 




Abort "batch job frcn TS5 . 




ABTJOB (D) 




Access a snail block of core the systen 
maintains for each user 




CORFIL (D) 




Allov tine-sharing subsysten to access 
IDS file 




IDS (D) 


. 


Allov tine— sharing task to obtain status 
of batch Job 




. JSTS (D) 




Retrieve last line of input 




KIN (D) 




Force Keyboard output frcn a parti ally- 
fill ef buffer 




KOTNOW (D) 


■ 


Keyboard output frcn a buffer 




KOUT (D) 




Object progran tine and size check 




OBJTZM (D) 




Pass list of files to subsysten 




PASAFT (D) 




Pass file nanes and descriptions 




'PASDES (D) 




Pass file to Renote Batch Processor 




PASFLR (D) 




Pass progran description to subsysten 




PREDES (D) 




Sinulated Keyboard Input 




PSEUDO (D) 




Overlay-load a subsysten 




• RESOTR (D) 




Save progran on permanent file 




DRLSAV (D) 




Initiate line-nunbering node, store line 
nunber and increment value 




SETLNO (D) 





rc 
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NAME AND DESCRIPTION 


IBM 


HONEYWELL GCOS III 


UNIVAC EXEC 3 


Pass file to "batch processor 




SPAWN (D) 




Stop paper Tape input 




STOPPT (D) 




Cause subsystem to be killed 




SYSRET (D) 




Start paper tape input 




TAPEIN (D) 




Spavn Batch activity from TSS 




TASK (D) 




Bequest Terminal type and line Number 




TERMTP (D) 




Define and access a temporary file 




DEFIL (D) 




Space a linked file 




FILSP (D) 




Enlarge a file already opened 




GROW (D) 




Add links to a temporary file 




MORLNK (D) 




Partial Release of a temporary file 




PART (D) 




Svitch Temporary File Names 




SWITCH (D) 




Do I/O on system file 




PDIO (D) ** 




Pass user ID and priority to Executive 




USERID (D) ** 




Log on New User vithout disconnect 




NEWUSR (D) ** 




Stop Execution of Master subsystem 




STPSYS (D) ** 




Write Statistical Collection File 




■ T.STAT (D) ** 





LEGEND 
*This MME performs more than one function 
**Theee are privileged instructions 
(M)-Master Mode Entrys (Batch) 
(D)-Derails" (Time Sharing) 
v/c- Without 



ABBREVIATIONS IN TABLE k 

DIDOCS - Device independent display operator console support 
DSCB - data oet control block 
ER - Executive Request (UNI VAC) 

ESI - externally set index (not set inside^ machine) • 
GAM - Craphics Access Method 
JFCB - Job file control block 
MCS - Multiple Console Support 
MCP - Master Control Program 
MME - Master Mode Entry (Honeywell) 
PDS - partitioned data set 

8MB - contains JCL (job control language) information 
SMF - System Management Facility 
TCB - task control block 
VTOC - volume table of contents 

27^0 Processor - performs OPEN and CLOSE functions (27^0 Communications 
Terminal) 



T. iTriry-V,-;,?;,,!. _. K^HYUT: 

This lo.itiuro is not supported on IBM 0/S or Univnc EXKC-8 when 

runuinr in the secure mode. The weak point in checkpoint ic that r.ystan 

I.mIi1>\'. nnint be* wriU.cn out nn a marm ntornr.e device. Upon rcntart 

i 

ih»» jiyiil.riu must, accept; a;? fact the Informal, l.on and table n recovered 

from macs • storage, thus any piece of information that will N cause the 

operating system to do thingo it ohould not, can be modified to give 

the checkpoint program special privileges. 

This is a problem in GCOS III, SCOPE 3 A, IBM 0/S, EXEC-8 



II. Files and Catalogs 

The protecting of files and catalogs from illegal users are a problem 
in all systems. In the CDC 76OO SCOPE Operating System, it is possible to 
open the master directory of all users by knowing the name of the master, 
directory. In IBM OS, it is possible to open a VTOC as a file thus enabling 
a user to modify file entries in VTOC. The modification takes the form of 
altering passwords and file links. 

In CDC 6060 SCOPE, the system lets the user decide if he wants control 
back, if the password was in error. This creates the possibility of 
modifying and issuing passwords with no time or count limits. 

Master catalogs must be protected in a special manner. Catalogs must 
have greater protection than files. 



III. User /System Interface 

A. Improper Parameter Checking 

Because of the complexity of operating systems, the interface between 
user and system causes a multitude of combinations of parameter lists which 
are difficult to check. 

For example, in IBM OS it is possible to make the system load a 
system overlay into an area not assigned to it. Because of hardware features 
and core allocation, it is possible to fool the operating system by creating 
phony tables and positioning them in the correct place. 

B. Improper Exit 

The operating system relies on a parameter accessible by the user to 
determine actions, branches, or exits. 

For example, in CDC SCOPE 3.2 it is possible to hang up the system by 
setting the done flag in the Status Field of the Fet Table. 

In GCOS III, it is possible to handle your own interrupts, and fork 
two addition processes. 

In IBM OS, issuing a STOW request which does not have a valid 
entry will return a pointer of the next entry, which the user should not know 
about. The STAE and SPIE request also^cause problems with user handling 
interrupts. If the user exits while waiting for an interrupt request 
undetermine results can occur. 



IV. I/O Problems 

Because the way to get the best thorough put is to have asynchrous 
I/O, the I/O subsystem becomes vulnerable to I/O aborts and table filling. 

Any system which has features to let users handle his own interrupts 
must not have asynchrous events with regards to this user. 

In SCOPE 3.2 CDC 6000, it is possible to disturb the I/O because of 
timing delays created by different peripheral processes routine executing to 
satisfy one request. 

In OS 360, the problem is the fact that all requests to the same device 
are queued through an I/O handler. If the program or request is destroyed 
or terminated while in this queue, undert ermine results will occur. 

In GCOS III, it is possible to scavenge the temporary buffer space 
which the system uses as a work area. 



V. Improper Overlay Handling 

Both system and user overlays are accomplished by table look-ups. It 
becomes essential that the tables be secured from the user. The order 
of search of the libraries are important. 

Routines that use pointer values, as either a Jump location or entry 
into a routine, should check the pointer value for lower and upper bound 
conditions. 



VI. Assigning Authority to System Routines 

Access methods or loaders or any other routines should not run 
with supervisor mode, if there is no need. This restriction does not apply 
to a CDC 6600 with its peripheral processors "because the PPUs are 
independent. In this case, care should be exercised by controlling the 
programs allowed to run in the peripheral' processor. 



VII. Priority of System Jobs 

If the priority of certain system Jobs in the system ore incorrect, 
an asynchrous attack on that particular area of scheduling may produce 
data being read that should not have been read either out of memory or mass 
storage. 



VIII. Loads and Preloads 

If the loaders handles the libraries in a perscribed manner, it is 
possible to insert a look alike module name to be found in a private 
library instead of being found in its correct library. 

An example of this, is the overlay loader which searches the 
userlib for a system overlay supervisor before looking for it in the 
system lib. 



IX. Default Conditions and Names 

Default conditions and names should not "be used to short cut 
a check. All conditions should he validified and checked. 



X. Queueing of Tables 

System tables and queues should be checked to determine the end 
conditions to queues. 



XI. Collusion 

The using of two or more programs or users to bring about any of the 
above conditions. 



XII. Trojan Horse 



